
Introduction to AIDE – Advanced Intrusion Detection Environment

Ever heard of AIDE? Neither had I. Apparently it's a simple intrusion detection application that can be used to monitor file changes. It can be configured to monitor permission, ownership, timestamp, or content changes.

Let's install it. It's in the stock Red Hat repos, so it's a piece of cake to install via yum.

[root@localhost ~]# yum -y install aide

Once installed, you can tweak the config file (/etc/aide.conf) to your liking. The stock config is pretty comprehensive, so I am going to trim it down a bit and just monitor /etc for permission changes, and /bin for what are defined as NORMAL changes. NORMAL looks at file hashes to see if the files have been modified.

/bin NORMAL
/etc PERMS

Now let's initialize the aide database:

[root@localhost ~]# aide --init

AIDE, version 0.15.1

### AIDE database at /var/lib/aide/aide.db.new.gz initialized.

Now this part is silly: we need to rename the database created above to the name that aide is configured to use.
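To make concrete what the two selection lines above actually cover, here is a small Python sketch (added here, not AIDE's code and not from the original post) that parses "<path> <GROUP>" lines, snapshots the listed attributes the way --init does, and diffs a later snapshot against that baseline the way --check does. The PERMS and NORMAL attribute sets are a simplified assumption; the real groups in aide.conf include more attributes.

```python
import hashlib
import os
import stat
from pathlib import Path

# Attribute groups, modelled on the two selection lines in the post.
# PERMS records only permission/ownership metadata; NORMAL also records
# size and a content hash, so it catches modified files as well.
# (Simplified assumption; AIDE's real groups carry more attributes.)
GROUPS = {
    "PERMS": ("perm", "uid", "gid"),
    "NORMAL": ("perm", "uid", "gid", "size", "sha256"),
}


def parse_rules(conf: str) -> list:
    """Parse aide.conf-style selection lines: '<path> <GROUP>'."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, group = line.split()
        if group not in GROUPS:
            raise ValueError(f"unknown attribute group {group!r}")
        rules.append((prefix, group))
    return rules


def attributes(path: Path, group: str) -> dict:
    """Collect only the attributes the rule's group asks for."""
    st = path.lstat()  # lstat: never follow symlinks when hashing
    attrs = {"perm": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if "sha256" in GROUPS[group] and stat.S_ISREG(st.st_mode):
        attrs["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return {k: v for k, v in attrs.items() if k in GROUPS[group]}


def init_db(rules) -> dict:
    """Like 'aide --init': snapshot every file under each rule's path."""
    db = {}
    for prefix, group in rules:
        for root, _dirs, files in os.walk(prefix):
            for name in files:
                p = Path(root) / name
                db[str(p)] = attributes(p, group)
    return db


def check(rules, baseline: dict) -> dict:
    """Like 'aide --check': {path: (old, new)} for every added, removed or
    changed entry; an empty dict means nothing to report."""
    current = init_db(rules)
    return {p: (baseline.get(p), current.get(p))
            for p in set(baseline) | set(current)
            if baseline.get(p) != current.get(p)}
```

The point worth noticing is that a content edit under a PERMS-only path produces no finding at all, which is exactly the trade-off the trimmed config above makes for /etc.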